Snyk Vulnerability in Pushy 0.15.4 (netty-handler@4.1.104.Final) #1099
Replies: 2 comments · 2 replies
-
|
Can you please provide a link to the specific vulnerability? To manage expectations, most of the time, these are false alarms. It's probably true that there's a vulnerability in |
Beta Was this translation helpful? Give feedback.
-
|
This was the vulnerability reported |
Beta Was this translation helpful? Give feedback.
-
|
Thank you. That does seem somewhat relevant, though I think the risk is very low because Pushy is generally talking to trusted servers. Still, we should update. |
Beta Was this translation helpful? Give feedback.
-
|
@jchambers wanted to check in and see if there are any updates regarding this vulnerability. Do you have an estimated timeline for when the fix might be released? |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi,
I’ve noticed a high-severity vulnerability reported by Snyk in Pushy 0.15.4. The issue is related to the
netty-handler@4.1.104.Finaldependency (used incom.eatthepath:pushy@0.15.4›io.netty:netty-codec-http2@4.1.104.Final›io.netty:netty-handler@4.1.104.Final).As per the documentation, Pushy 0.15.4 is the latest version, and it depends on netty-handler@4.1.104.Final, which has the vulnerability.
I have a few questions:
Is there a new version of Pushy planned that fixes this vulnerability?
Or, can I exclude netty-handler@4.1.104.Final and try using a newer version of netty-handler that doesn't have the vulnerability? Would this be compatible with Pushy 0.15.4?
I’d appreciate your help and suggestions. Looking forward to your reply. Thanks.
Beta Was this translation helpful? Give feedback.
All reactions